Proton and all they do were always an obvious attempt at making money off of non-tech people that care about their privacy but don't know what to do. Their stuff might be free now, but from how much vendor lock-in they are building into their software it's quite obvious to me.
Their services are counter to all the best practices of security by design. If they spent all this time on improving existing secure systems and making them more user friendly they would have a much more positive impact.
Do you mind expanding on this? I recently moved away from Gmail to Proton in an attempt to be more privacy conscious and don’t really know of any alternatives. Even at a paid tier I only use Proton for their email services.
I would say I’m generally tech savvy but new to the whole privacy space. What better alternatives are there?
Just use any other email provider that works for you and use standard OpenPGP to encrypt your emails. This is how email end to end encryption (e2ee) usually works.
As long as the emails are properly e2ee, no email provider is “more private” than others. They can always see who you are emailing and when. Proton is still forced to give out all your metadata to the cops just like any other service.
Also, if whoever you are emailing isn't using Protonmail, or another PGP-compatible client, then your emails aren't actually encrypted at all. For work emails the other party usually won't be using any of that, so there is no point; for personal stuff I would honestly use standard messengers that have encryption built in, like Matrix, Signal, Session.
If you want e2ee email though, then on desktop Thunderbird has all the OpenPGP stuff built in, and for mobile there is the K-9 Mail client that can be coupled with the OpenKeychain plugin to offer encryption.
There are also things like DeltaChat that allow you to use email in an instant-messaging style format while using the same encryption keys that you use for standard emails. But to be honest that's not what email is intended for; I would just use Matrix for that.
Protonmail is a decent attempt at offering “easy to use” encryption but, by doing so, makes it overly complex from a software security and compatibility standpoint.
With e2ee you want to have the absolute minimum level of complexity and code to make it easy to audit and understand. PGP has been the standard implementation for email encryption for decades. Any attempt to “expand” on this by implementing fancy web-based shenanigans undermines the simplicity and inter-compatibility of the preexisting email encryption ecosystem that everyone has been using.
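The two points above, that the provider always sees who you mail and when, and that a message to someone without PGP is not encrypted at all, as an added Python example (standard library only) that is not from anyone in this thread: it reports what a mail server can read from a PGP/MIME message versus a plain one. Both messages are constructed samples and the armored block is a placeholder, not real ciphertext.

```python
from email import message_from_string
# Constructed sample PGP/MIME (RFC 3156) message; the armored block is a placeholder, not real ciphertext.
PGP_MIME_MSG = """\
From: alice@example.org
To: bob@example.net
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: ...
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-NOT-A-REAL-CIPHERTEXT
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: the same sender writing to a contact who has no PGP key.
PLAINTEXT_MSG = """\
From: alice@example.org
To: carol@example.com
Date: Mon, 01 Jan 2024 10:05:00 +0000
Subject: Lunch plans
Content-Type: text/plain

Meet at noon?
"""

def is_pgp_mime_encrypted(msg) -> bool:
    """RFC 3156 shape: multipart/encrypted, OpenPGP protocol, version part then armored ciphertext."""
    if (msg.get_content_type() != "multipart/encrypted"
            or msg.get_param("protocol") != "application/pgp-encrypted"):
        return False
    parts = msg.get_payload()
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")

def provider_view(raw: str) -> dict:
    """What the mail server can read: headers sit outside OpenPGP body encryption, so who/when/subject stay visible."""
    msg = message_from_string(raw)
    e2ee = is_pgp_mime_encrypted(msg)
    return {"from": msg["From"], "to": msg["To"], "date": msg["Date"], "subject": msg["Subject"],
            "body_e2ee": e2ee, "body_visible": None if e2ee else msg.get_payload().strip()}
```

Even in the encrypted case the returned dictionary still carries sender, recipient, date and subject; only the body is hidden, and only because both sides used OpenPGP.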
Thanks so much for sharing! You gave me some good info to start looking into. I appreciate your help! I was getting a little wary of Proton when they announced the AI nonsense, and now the crypto wallet really seals the deal. Doesn’t feel good knowing my money is going to develop buzzword features instead of fixing the existing issues in their current products.
Good luck with your software endeavors!
This stuff is hard to get into, especially so if you don’t already know all the specific terms to find what you are looking for. But having control over your own data and being able to decide where it resides is worth the effort to me.
The problem is that almost no one uses PGP, as this Vice article points out: https://www.vice.com/en/article/vvbw9a/even-the-inventor-of-pgp-doesnt-use-pgp
If your goal is secure communication with other tech-savvy, privacy-conscious people, then I agree that PGP is a reliable, time-tested solution.
But if your goal is to keep email providers from data mining your inbox, then Proton is an easy way to do that, no matter who you’re communicating with.
How can Proton protect your unencrypted emails? Unless you are writing someone that also uses Protonmail or PGP, the emails won't be encrypted. This is barely an advantage at all over the existing system. You are just telling people to depend on this single point of failure, which is Proton.
You can't expect everyone to use Protonmail; that would be unwise from a decentralization standpoint. The real solution is only using email for people that are unwilling or unable to use something other than email. For everyone else you should simply switch to different communications protocols that were made with e2ee in mind.
I think we mostly agree, and I appreciate you advocating for secure alternatives and privacy in general!
That’s true. Proton can only encrypt your inbox in that case.
I disagree. Having my inbox encrypted and using an email provider that doesn’t mine my data is certainly worthwhile for me.
I’m not advocating Proton over other, more secure and private communication methods. My point is that, if you’re choosing an email provider, Proton is a good choice. They’re a nonprofit whose mission is privacy, and they spend considerable technical effort to ensure it.
I would hate to see someone switch from Proton to Gmail or some other provider that doesn’t offer any privacy because they mistakenly think all providers are the same.
To the extent that’s practical, I strongly agree. As you correctly point out, email is a plaintext protocol, and there’s nothing Proton can do about that.
But if you do use email and not all your contacts have exchanged PGP keys with you, which I’m sure is true for many people, then I think there’s a lot of value in using a provider that offers an encrypted inbox and doesn’t mine your data.